Article Details

Coinbase confirms insider staffers handed over data of 70,000 users. Bribed support staff were identified and fired. Coinbase says the data of nearly 70,000 customers was handed over by overseas support staff who were bribed by criminals to give up the goods. The crypto giant confirmed 69,461 users would be receiving direct communications from the company about the attack in a notification filed with Maine's Attorney General on Tuesday. According to the filing, the breach took place on December 26, 2024, but wasn't discovered until May 11. Coinbase publicly acknowledged the attack via a Form 8-K filing with the Securities and Exchange Commission (SEC) on May 15, adding that the crooks behind it tried extorting the company for $20 million. Much of the information included in the sample letter to affected individuals restated info given in the earlier SEC filing, including the data types potentially stolen. To recap, these were: "This information did not include your password, seed phrase, private keys, or any other information that would allow someone to directly access your account or your funds, and Coinbase Prime was untouched," the letter read. Overseas support staff involved in facilitating the data theft had all been fired, Coinbase confirmed. It is not known how much they were paid. Coinbase has also not yet specified which country the support staff worked from, although active job boards show some support roles for the massive US cryptocurrency exchange are based in the UK, Ireland, India, the Philippines, and Japan. The expected cost of remediating the attack stands between $180 million and $400 million, Coinbase said in its SEC filing, although the full extent of the damage is still being investigated. CEO Brian Armstrong released a video to social media apologizing to customers for the impact on them and promised to pursue all avenues available to the company to bring those responsible to justice. This included setting up a $20 million bounty for information that could lead to the attackers' arrest and conviction. Coinbase said it would be "making customers whole" as it is aware that some customers were successfully socially engineered by the attackers using the data stolen via the support staff.  To that end, customers who haven't yet been targeted were advised to remain vigilant against potential further criminal activity and targeting, as well as upping the security of their accounts. Implementing protections such as strong 2FA (hardware keys are the preferred choice here) and Withdrawal Allow Listing – a setting that allows withdrawals only from wallets explicitly trusted by the user were also encouraged. Affected customers were offered one year of identity protection and credit monitoring services through IDX, which is standard practice following such events. Instructions on how to claim this are included in the letters Coinbase sent to users.